Thanks for taking the time to reproduce this - so now I know its not just me :) And to your point about connecting with a local path vs. a network path, I noticed that too - permissions are correct when accessing anything locally, but when accessing via a network path (even if it is to your own machine), will reproduce this issue.
Can any developers weigh in as to where the core of the problem might lie and/or how it would possibly be fixed? Thanks, David -----Original Message----- From: cygwin-ow...@cygwin.com [mailto:cygwin-ow...@cygwin.com] On Behalf Of Erik Soderquist Sent: Friday, February 12, 2016 5:04 PM To: cygwin@cygwin.com Subject: Re: Possible Security Hole in SSHD w/ CYGWIN? With the precise steps listed/demonstrated, I've reproduced it I connected with ssh as a normal user using a private key, and cd'd to //server/c$/ successfully, and in the Windows active sessions, it does indeed show "cyg_server" as the connected user, not the user I logged in with. Trying this using a password rather than a private key behaves as expected. Taking this a step further, I created a new directory from Windows Explorer and reset the permissions to explicitly deny access to the normal user I tested with. Then I tried to cd to /cygdrive/c/access_denied_test/ and received the expected access denied message, but when I tried to cd to //server/c$/access_denied_test/ I succeeded, and was able to create new files in the directory. I can provide screen shots of the reproduction without the need to redact quite so much. -- Erik -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
